1. It can't just change. Someone has to initiate something. I would expect
you would need at least read (view) access through the chain down to your
specific DB you want to manage. Anything not in that chain you probably
don't need access to. Specifically it sounds like you need read down to your
admingroup and then some level higher at that point down.

2. Ah sorry. I was making the assumption you were ent admin. I won't answer the
second question of this directly. Instead I will say the correct answer is
you need to go grab one of the ent admins and say HELP! And have them walk
through the perms with you or email you a doc with the perms (a simple
dsacls dump would be fine). In the meanwhile, ANYONE playing with the ACLs
in the Exchange container is a brave (or something else) soul. Exchange is
one of those things that you kind of want to launch and not muck with a
whole lot it seems. There is a lot of stuff that shouldn't hurt it which can
sometimes have deleterious effects and no one seems to know why. This
actually isn't a complete rip on Exchange, it is just that the product is
that complex and I haven't met anyone who has the great big picture on how
it all works and what it needs to be happy. It is dependent on another great
big complex product with the same issue.

On the sep forest, I completely understand. If you don't have that, and
probably even if you did, you need to get the communication going. It is
critical: you have one organism there, Active Directory, and everyone needs to
be working together to make sure it works properly. Alternatively it needs
to be locked down very well and the people with almighty control need to
keep their hands in a box so they don't touch anything, even by accident and
even if it shouldn't hurt anyone. :o)

Politics is always the worst part of the whole thing. Most technical issues
have solutions or can be worked around; politics is another matter, and the
solution tends to be someone gets shot. In the end, you hope the right
person but more often than not that doesn't seem to be the case. <eg>

At this point, you really need to call the ent admins up on the bat phone
and say, hey listen, something isn't right here. Could you guys help
troubleshoot or find out why I can't see past X container in the Exchange
Services area or at the very least send me some dumps of info I need?


  joe


 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 4:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

i checked the perms thru adsiedit-
blackberry account (ex view only admin according to ESM) - has all the
appropriate rights except no entry at the ORG container and at the
Administrative groups container.

Domain admins in child domain with similar issues (ex full admin according
to ESM) - same thing


Now, the questions-
1. how could this just change? I know the root domain guys took us out of the
Exchange org and used the delegation wizard to give us full access to our
admin group thru ESM. same thing for the blackberry account, except view
only.
do we still need to be delegated something at the org level? it would seem
to be so. to be able to administer our admin group, would we still need some
rights on the org level?

2. how can i take ownership with no rights on an object? can a domain admin
in a child domain write to the config container of a forest?


This is why i want our own forest. If you see my previous threads, it's
always about how to break away from the forest or what a child domain admin
can or can't do without enterprise admin access, dependency on the root,
etc.


we always have issues with the guys on top screwing us up on the bottom and
the serious lack of communication. they seem to think that as child domain
admins we can't screw THEM. i'm trying to convince my CIO to break away or at
least ask for enterprise admin rights. I want to at least show them that we
can screw them up or get access to enterprise admin so they would then give
us this access or we would leave the forest (since as a sister corp, we are
on equal footing with them in every way. it's just politics).

thank you guys so much for all your help.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 4:05 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


Everything I read in this chain is definitely saying permission issues. Note
that the main permissions for Exchange are in the config container. Anyone
from any domain that has permissions to that container can be dangerous.
Including domain admins of child domains.

The fact that you can't even read the permissions from a certain level on is
screaming someone changed the permissions AT THAT level. The fun thing is if
you don't have permissions to see the permissions, you will have to take
ownership to see them or figure out what account has the perms necessary to
see them. Once you can see them, then you can figure out how bad it is. I
would personally try to do a dsacls dump of each layer under the Exchange
Services level and see where the perms start locking down. Again, you may
have to take ownership at some point to see anything.

  joe
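Added example (not part of the thread, and not joe's or Microsoft's code): a PowerShell walk of the chain joe describes, from CN=Services in the configuration partition down to one administrative group, running dsacls at each layer and reporting the first layer where the current account can no longer bind or sees no ACEs. It also serves the point above about needing read access all the way down the chain to the admin group. The org and admin-group names are placeholders to replace; dsacls.exe is assumed to be installed (Support Tools / RSAT), and the per-layer dump files are what you would hand to the ent admins.

```powershell
# Added example, not from the thread: walk the Exchange configuration chain
# top-down and run dsacls at each layer, to find the first layer where the
# current account can no longer read the object or its ACL.
# Assumptions: dsacls.exe is installed; OrgName and AdminGroup are
# placeholders for your Exchange organisation and administrative group.
param(
    [string]$OrgName    = "PLACEHOLDER-ExchangeOrg",
    [string]$AdminGroup = "PLACEHOLDER-AdminGroup",
    [string]$OutDir     = ".\dsacls-dump"
)

# The configuration partition is forest-wide; RootDSE gives us its DN.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$exchange = "CN=Microsoft Exchange,CN=Services,$configNC"

# Layers in the order Exchange System Manager walks them.
$chain = @(
    "CN=Services,$configNC",
    $exchange,
    "CN=$OrgName,$exchange",
    "CN=Administrative Groups,CN=$OrgName,$exchange",
    "CN=$AdminGroup,CN=Administrative Groups,CN=$OrgName,$exchange"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$layer = 0
foreach ($dn in $chain) {
    $layer++
    Write-Host "`n=== Layer $layer : $dn ==="

    # A bind that fails (access denied, or a child hidden because List
    # Contents is missing one level up) is the symptom described in the thread.
    try {
        $obj = [ADSI]"LDAP://$dn"
        $null = $obj.Get("distinguishedName")
    } catch {
        Write-Warning "Cannot bind to this layer: $($_.Exception.Message)"
        Write-Warning "Access stops here; compare against the layer above."
        break
    }

    # Dump the DACL with dsacls and keep one file per layer for the ent admins.
    $dump = & dsacls.exe $dn 2>&1
    $dump | Out-File -FilePath (Join-Path $OutDir "layer$layer.txt") -Encoding ascii

    # dsacls prints one ACE per line, starting with Allow or Deny.
    $allow = @($dump | Where-Object { $_ -match '^\s*Allow\s' }).Count
    $deny  = @($dump | Where-Object { $_ -match '^\s*Deny\s' }).Count
    Write-Host "ACEs visible: $allow Allow, $deny Deny"

    if ($allow -eq 0 -and $deny -eq 0) {
        Write-Warning "No ACEs readable at this layer (the 'empty ACL' symptom); READ_CONTROL is probably missing here."
    }
    if ($deny -gt 0) {
        Write-Warning "Explicit Deny entries present; inspect $OutDir\layer$layer.txt before going further."
    }
}
```

Run it once as the account that has the problem (the blackberry service account) and once as an account that still sees everything, then diff the layer files: the first layer that differs is where the permissions were changed, and the Deny count tells you whether it was an explicit deny or just a missing read right.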



 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, May 28, 2004 2:52 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

Checking this document, can you verify what permissions are associated with
the BB account?

http://support.microsoft.com/default.aspx?scid=kb;en-us;823018 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 2:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

they added an exchange2k3 server and a win2k3 dc. how would that change
things?
in my child domain, i'm a full exchange admin and can see everything. in
another domain, the exchange full admins can't see anything. and of course
the view only blackberry service account can't see anything in my domain.
all our dc's are at sp 3 or 4.
how would installing exchange2k3 or win2k3 change the security on the config
container as to disallow viewing for one domain and not another?
that's the only change made according to them...

i'm very confused.
thanks for your continuing help in this. i really appreciate it.


-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 2:13 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


They could have added an Exchange 2k3 server for starters :)

Nothing is logged on the Exchange server or the DC/GC when you try to access
that information? Is audit logging turned on?

Did they upgrade the root domain as well?  Those permissions are set on the
configuration container and you should have view rights to them as a
delegated admin.  If you don't, then something has changed and seems to be
recurring.  Check with the root folks to see what's changed in the last few
days in the root domain.  What was added etc? 



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

According to RIM, it's a permissions error (duh). they suggested upgrading the
mapi32.dll and cdo.dll to the same version as the exchange server.
while the blackberry service is now starting, i still can't see anything in
exchange system manager or adsiedit logged in as the blackberry account.

there is nothing logged on the exchange server.


no replication errors on any of my DC's. or the ones in the root.

haven't spoken to the guys in the root, but what could they do to change
things if the account seems ok in ESM?

thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 10:42 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


There would be an event logged on the Exchange server if your membership
were incorrect.  Depending on version, this would be different.

Have you checked with the root folks to see if they've done anything lately?
How's replication working?

Interested to hear what RIM comes back with as well.

Al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

the bb service logs an application specific error (i'm trying to find out its
meaning from RIM).
there is nothing in the other logs.
the bb service is a member of the local admin group on the server and domain
users, that's it.
exchange "view only admin" is delegated directly to the bb account on our
admin group.
the other delegation is "full exchange admin" to the domain admins group.

where would i check for changes to the Exchange domain servers/enterprise
servers groups?
or errors in group membership?


as per my previous post, this kind of thing has happened before to the
domain admins which had full exchange admin rights delegated directly to
them.

thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 10:02 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


What's the error messages when the service tries to start?  What's in the
security and application and system logs?

What groups is the bb service a member of completely?  Which one is
delegated exchange rights and how does that compare with the service
account?

I think that's a good place to start troubleshooting this.  I think you
should also look for any errors indicating a change in server group
membership and any changes to the Exchange domain servers and enterprise
servers groups.

Al 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Friday, May 28, 2004 9:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness

here's the deal-

i've had this same thing happen to a child domain. the domain admins had full
exchange admin rights on their admin group. however, when you open up
exchange system manager, you couldn't see anything. In adsiedit, if you
looked in the exchange services container in the configuration partition,
you couldn't look deeper than the org. there was nothing there. and if you
wanted to look at the acl's of the org, it was empty.
STILL, in exchange system manager, you saw they had full exchange admin
rights (and i'm not talking about receive as, to open a mailbox. i just mean
full rights to view and administer their admin group.). this was never
resolved.
Now i have the same issue in my child domain with the blackberry service
account.
I'm the only one who administers this domain and nothing was changed.
really.
is there an explicit deny somewhere? how would i find it? there's nothing in
the security log on the blackberry server.
this is the kind of stuff that keeps me up all night.

could someone have done something at the root? we have no gpo on our domain,
dc, or site that would cause this. i checked them all, including the local
one on the server.

what the heck is going on here? this is twice now with 2 separate domains!!!
both domains are mixed mode running win2k. the root domain is native mode.
exchange 2k is native mode.
all servers are win2k except one win2k3 server in the root and an exchange2k3
server, also in the root.

thanks

-----Original Message-----
From: Mulnick, Al [mailto:[EMAIL PROTECTED]
Sent: Friday, May 28, 2004 9:09 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] OT:EXCHANGE weirdness


Permissions get changed all the time.  Monitoring the DC's for group
membership changes has been helpful here.  You'd be surprised what people
think is a good idea ;)

As for permissions, putting that account in domain admins is likely the
wrong thing to do.  If you look in the security logs, you'll likely find a
clue to the answer as to why it won't start.  My guess is that it has
conflicting permissions.  By default Exchange 200x doesn't allow
administrators and other admins the ability to log into people's
mailboxes.  That may be preventing the service from starting.  Could also be
a GPO change or other I'm sure, but I'd start with the event logs to see why
it won't start.

Al 
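Added example (not from the thread, and not Al's code): a PowerShell report of group-membership changes pulled from a DC's Security log, which is the monitoring Al describes above. It assumes Account Management auditing is enabled on the DC and uses the Windows Server 2008+ event IDs 4728/4732/4756 (member added to a global/local/universal group) and 4729/4733/4757 (member removed); on the Windows 2000/2003 DCs in this thread the equivalents are 632/636/660 and 633/637/661. The property positions used to pull member, group and acting account are the standard layout of those events but are an assumption here, and the watch-group list is a placeholder to adjust.

```powershell
# Added example, not from the thread: list group-membership changes from a
# DC's Security log so that "someone changed the perms" can be traced to an
# account and a time.
# Assumptions: Account Management auditing is on; Windows Server 2008+ event
# IDs; property order per event is member, member SID, group, group domain,
# group SID, subject SID, subject account (standard layout, assumed here).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 72,
    [string[]]$WatchGroups = @("Domain Admins", "Enterprise Admins",
                               "Exchange Domain Servers", "Exchange Enterprise Servers")
)

$added   = 4728, 4732, 4756
$removed = 4729, 4733, 4757

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = ($added + $removed)
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $p = $e.Properties
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Action = if ($added -contains $e.Id) { 'Added' } else { 'Removed' }
        Member = $p[0].Value
        Group  = "$($p[3].Value)\$($p[2].Value)"
        ByWhom = $p[6].Value
    }
}

# Changes to the sensitive groups first; these are the ones that explain
# sudden permission changes in the config container.
$hot = @($rows | Where-Object { $WatchGroups -contains $_.Group.Split('\')[-1] })
"== Changes to watched groups on $ComputerName in the last $Hours h: $($hot.Count) =="
$hot | Sort-Object Time | Format-Table -AutoSize

"== All group membership changes: $(@($rows).Count) =="
$rows | Sort-Object Time | Format-Table -AutoSize
```

Run it against each DC (or the PDC emulator, where the account-management events are most complete) rather than a member server: the blackberry server's own Security log, which the thread says is empty, never sees these events.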

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 27, 2004 8:20 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT:EXCHANGE weirdness

i have a user (blackberry service account) who has full exchange admin rights
on our admin group, now suddenly (i know there is no "now suddenly", but
nothing changed, honest), blackberry service won't start and when i open
exchange manager, i can't see any admin group logged in as the blackberry
account.
when i log in as another account, i can see everything. i put the bb account
into domain admins, and still same thing.
why?
and more importantly, how do permissions and roles get lost like that?
I'm running a win2k ad mixed mode and exchange 2k native mode.
thanks
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/